
Mississauga, ON February 14, 2017 – MNP announced today that CRN®, a brand of The Channel Company, has named MNP to its 2017 Managed Service Provider (MSP) 500 list in the Managed Security 100 category. This annual list recognizes North American solution providers with cutting-edge approaches to delivering managed services. Their offerings help companies navigate the complex and ever-changing landscape of IT, improve operational efficiencies, and maximize their return on IT investments.

In today’s fast-paced business environments, MSPs play an important role in helping companies leverage new technologies without straining their budgets or losing focus on their core business. CRN’s MSP 500 list shines a light on the most forward-thinking and innovative of these key organizations.

The list is divided into three categories: the MSP Pioneer 250, recognizing companies with business models weighted toward managed services and largely focused on the SMB market; the MSP Elite 150, recognizing large, data center-focused MSPs with a strong mix of on-premise and off-premise services; and the Managed Security 100, recognizing MSPs focused primarily on off-premise, cloud-based security services.

“Managed service providers play an increasingly important role in the day-to-day operations of businesses across North America,” said Robert Faletra, CEO of The Channel Company. “MSPs help organizations streamline their spending, effectively allocate limited resources, and benefit from advanced expertise in the latest technologies. We congratulate the service providers on CRN’s 2017 MSP500 list, who have continually succeeded in meeting their customers’ changing needs and help them get the most out of their IT investments.”

“Over a year ago, we successfully updated our Cyber Security Managed Services offerings by expanding our unique services and leading this market with an innovative business solution. Our managed services provide our clients with a team of qualified Cyber Security experts including a virtual chief information officer (VCISO) who will guide your business to increase its cyber security maturity through our monthly reviews. Unlike most of our competition who provide monitoring, we believe in being proactive for our clients’ cyber security,” said Danny Timmins, National Cyber Security Leader.

The MSP500 list will be featured in the February 2017 issue of CRN and online at www.CRN.com/msp500.

MNP is a leading national accounting, tax and business consulting firm in Canada. We proudly serve and respond to the needs of our clients in the public, private and not-for-profit sectors. Through partner-led engagements, we provide a collaborative, cost-effective approach to doing business and personalized strategies to help organizations succeed across the country and around the world.

As a premier full service provider of cyber security solutions, MNP is dedicated to securing the confidentiality, integrity and availability of networks. Our client-focused delivery and extensive experience in network assessment, design, engineering, project management, installation, implementation, support and maintenance has resulted in a 98% client retention rate.

NCI is pleased to announce we have merged with MNP, one of the largest national accounting and business consulting firms in Canada, effective April 1, 2016.

Cybersecurity is more than a technology issue, it’s a critical business risk and one of the leading and growing business threats in the world. While MNP wanted to enhance their services in cybersecurity for their clients, NCI was looking to expand our service capability across the country, while offering other specialty consulting and risk services to our valued clients. It’s truly a win-win situation for both our firms and the clients we serve.

Our clients can be assured they will receive the same level of commitment and will benefit from the additional knowledge, resources and experience in numerous industry and specialty areas — across more than 80 locations from Victoria to Montreal. As part of MNP, we will continue to deliver value-added services to our clients by drawing on MNP’s expertise in many disciplines.

We look forward to continuing to meet your needs through MNP.

For more information, visit www.mnp.ca or contact Danny Timmins at 905.607.9777 ext. 230

TUESDAY, MARCH 8, 2016, CALGARY, AB – MNP LLP, one of Canada’s largest national accounting and business consulting firms, announced today that NCI, a cybersecurity services and solutions firm, will join MNP effective April 1, 2016.

“Cybersecurity is more than a technology issue, it’s a critical business risk and one of the leading and growing business threats in the world,” said Jason Tuffs, CEO, MNP. “As a firm, we wanted to enhance our services in cybersecurity for our clients and merging in a full-service cybersecurity firm of leading experts made the most sense. It’s truly a win-win situation for both our firms and the clients we serve.”

NCI was founded in 2000 by IT professionals Danny Timmins (CEO & President) and Eugene Ng (CIO). Their goal was to create a company that offered a full range of services and solutions related to cybersecurity. NCI has grown to include offices in Mississauga, ON and Montreal, QC, as well as satellite offices in Sydney, NS and St. John, NB.

“MNP already had a growing technology consulting and cybersecurity practice, but was looking for a like-minded firm to build on their strategic plans for growth in offering cybersecurity services and solutions. At the same time, we were looking to expand our service capability across the country, while offering other specialty consulting and risk services to our valued clients,” added Danny Timmins, CEO & President, NCI.

“MNP and NCI had discussed opportunities to work together over the last few years. As we got to know each other better, both firms grew quite impressed with each other’s people, experience and expertise. This is truly a mutually-beneficial union and we are very excited to have found the perfect firm, one that puts clients first, that will allow us to offer clients a greater breadth of services to address their growing business needs.”

As a national accounting and business consulting firm operating for more than 55 years, MNP has grown to more than 80 locations with over 3,500 team members from Victoria to Montreal. In addition to tax and accounting expertise, MNP delivers a diverse range of advisory services, including corporate finance, valuation and litigation support, succession planning, investigative and forensic accounting, cross-border taxation, as well as a full breadth of services in enterprise risk services, including governance, risk management, internal audit, regulatory compliance, business resilience and operational effectiveness.

Tuffs added that this merger will take MNP’s Technology Solutions practice to a new level across the firm. “MNP focuses on strategic mergers for the benefit of our clients. This merger will allow us to build on our existing strengths and ensure we continue our client-focused approach to doing business while ensuring our clients are protected against growing cyber threats.”

Timmins will become MNP’s National Cybersecurity Leader and Ng will join as the firm’s Cybersecurity Leader for Eastern Canada. Timmins expects the transition to be seamless for their team and clients. While the Montreal NCI staff will move into MNP’s Montreal office, the remaining NCI locations, including their main office in Mississauga, will remain in their current locations.

About MNP LLP

MNP is one of the largest national accounting and consulting firms in Canada, providing client-focused accounting, taxation and consulting advice. National in scope and local in focus, MNP has proudly served individuals and public and private companies for more than 55 years. Through the development of strong relationships, MNP provides personalized strategies and a local perspective to help them succeed. For more information, visit www.mnp.ca.

We are very excited to share the news that we will merge with MNP LLP, one of the largest national accounting and business consulting firms across Canada, April 1, 2016. MNP has over 80 offices across the country, with several in Ontario, including Mississauga, Ottawa, Thunder Bay, Toronto, as well as in Montreal. MNP has a growing Technology Risk Services practice and was looking for a like-minded firm to build on their strategic plans for growth in offering Cybersecurity Services and solutions.

At the same time, we were looking to expand our service capability across the country, while offering other specialty consulting and risk services to our valued clients. Over the last few years, both our firms have talked about opportunities to work together. As we got to know each other better, both firms grew quite impressed with each other’s people, experience and expertise. We believe coming together is a win/win situation for our two firms and our clients. We are very excited to have found the perfect firm, one that puts clients first, to join forces with and offer a greater breadth of Enterprise Risk Services to address your growing needs.

As the fifth largest national accounting and business consulting firm, operating for 57 years, MNP has grown their team to more than 3,500 members from Victoria to Montreal, who focus on what matters most—helping individuals and businesses achieve their goals. In addition to tax and accounting expertise, MNP delivers a diverse range of advisory services, including enterprise risk, corporate finance, valuation and litigation support, succession planning, investigative and forensic accounting, cross-border taxation, as well as a full breadth of services in enterprise risk services, including governance, risk management, internal audit, regulatory compliance, business resilience and operational effectiveness.

MNP also serves numerous client groups in the private and public sectors and understands the specialized markets in which our clients operate. MNP has a large national presence and access to hundreds of experts and specialists, as well as access to a global network of accounting firms through Praxity—an international alliance of independent accounting firms. By joining MNP, we are adding more resources, more services and experience to better serve the needs of our clients with all their business needs.

As the marketplace evolves and our client needs become more complex, we are embarking on a new chapter of our story. We believe becoming part of a national firm with a local client service philosophy and greater breadth and depth of resources will serve our clients well and position us for continued success and growth. Coming together will strengthen and deepen our existing leadership and offer our clients business advice specifically tailored to their businesses and industries.

We understand you may have questions about the merger’s effect on the continuity of your relationships with the professionals you have come to know and trust. You can be assured the team of talented professionals currently working with you will remain in place and that this merger will be very seamless. With the added talent and industry expertise MNP brings, any new professionals working with you will be an enhancement of the client service we deliver now. While our name will change eventually, our level of service and responsiveness to our client needs will always remain the same.

Eugene, the Team and I will remain the same. Eugene will join as the firm’s Cyber Security Leader for Eastern Canada and I will become MNP’s National Cybersecurity Leader. We expect the transition to be seamless for our team and you the clients.

We will remain in our present locations and look forward to serving you as part of the MNP team. If you have any questions about this transition, please don’t hesitate to contact us:

Sometimes I spend time on the Twitterverse watching what is bouncing around in the echo chamber. Occasionally something builds up some feedback and catches my ear. Recently I saw some posts from a particular tweep (who shall remain nameless) and he was on about “when was the last time you spoke to your executives about security?” and “do your executives understand the business aspects of security?” He was posing questions but was light on answers, I suppose because he wanted you to contact his company and get some of those answers. That’s his prerogative, but myself, I prefer to treat Twitter like a giant open conversation, not a marketing channel.

Nevertheless it got me to thinking. Do executives understand the business aspects of security? I think that is the wrong question and has things the wrong way around. Rather the question is “do you know the business aspects of your security decisions?” Can you communicate them to people up the chain of responsibility? Can you connect the dots from what you are trying to do, to what business leaders are concerned with?

Hold up there, what exactly are executives concerned about? In my opinion we tend to get tied up in knots about this. I don’t think it’s all that mysterious. We could just ask them, in fact that’s what Chris Wysopal did. He shared his findings at Sector 2015 in the CISO Survival Guide presentation. Here is what he found execs are concerned with:

Brand damage

Breach costs, readiness, response

Corporate espionage

Risk posture and exposure

This immediately raises another set of questions to me: how do you communicate such things? What are the metrics that would be interesting and helpful?

At the highest levels there is cause for hope. The OpenFAIR framework gives us a way to conceptualize all of the above 4 things in a coherent fashion. It also allows us to communicate it in terms of likelihood and dollars. Metrics don’t get much clearer than that.

Let me connect the dots for you. You have a hunch that a SIEM would help (the actual control isn’t important for our discussion). It’s an expensive bit of kit, to say nothing of the care and feeding, and staff training. How can you justify that it’s worth it? Taking a control-first approach, while typical, is kind of backward. Instead we are going to run two risk analyses: i) a baseline without the SIEM, and ii) a comparison with the SIEM, showing how this additional control and all that it does can reduce the risk. This ultimately should translate into a reduction in the probability of a breach and/or a reduction in the costs of a breach. Is the reduction enough considering the cost of the SIEM? That’s a business decision and one that “the business” can now make since you’ve boiled things down into a language that they understand: probabilities and dollars.
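The two-analysis comparison described above, as an added example that is not part of the original post: a simplified FAIR-style Monte Carlo that simulates a year of losses with and without the control and weighs the reduction against the control's cost. Every probability and dollar figure, the triangular loss distribution, and all names are constructed assumptions for illustration.

```python
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One risk analysis: how likely a breach is and what it costs."""
    name: str
    annual_breach_probability: float  # chance of a breach in a given year
    loss_min: float                   # best-case breach cost, dollars
    loss_mode: float                  # most likely breach cost, dollars
    loss_max: float                   # worst-case breach cost, dollars


def simulate_annual_losses(s, trials=100_000, seed=2017):
    """Simulate `trials` independent years; return the dollar loss of each."""
    rng = random.Random(seed)  # fixed seed so the analysis is repeatable
    losses = []
    for _ in range(trials):
        if rng.random() < s.annual_breach_probability:
            # random.triangular takes (low, high, mode), in that order
            losses.append(rng.triangular(s.loss_min, s.loss_max, s.loss_mode))
        else:
            losses.append(0.0)
    return losses


def summarize(losses):
    """Expected annual loss plus a tail figure (95th percentile year)."""
    ordered = sorted(losses)
    return {
        "expected_annual_loss": statistics.fmean(ordered),
        "p95_annual_loss": ordered[int(0.95 * len(ordered))],
    }


def compare(baseline, with_control, annual_control_cost, trials=100_000):
    """Run both analyses and express the control's value in dollars."""
    base = summarize(simulate_annual_losses(baseline, trials))
    ctrl = summarize(simulate_annual_losses(with_control, trials))
    reduction = base["expected_annual_loss"] - ctrl["expected_annual_loss"]
    return {
        "baseline": base,
        "with_control": ctrl,
        "risk_reduction": reduction,
        "net_benefit": reduction - annual_control_cost,
    }


# Constructed inputs (assumptions, not figures from the post).
BASELINE = Scenario("no SIEM", 0.30, 100_000, 400_000, 1_000_000)
WITH_SIEM = Scenario("with SIEM", 0.15, 50_000, 200_000, 600_000)
SIEM_ANNUAL_COST = 80_000  # licence, care and feeding, staff training

if __name__ == "__main__":
    result = compare(BASELINE, WITH_SIEM, SIEM_ANNUAL_COST)
    for key in ("baseline", "with_control"):
        r = result[key]
        print(f"{key:13s} expected ${r['expected_annual_loss']:>10,.0f}"
              f"   95th pct ${r['p95_annual_loss']:>10,.0f}")
    print(f"risk reduction ${result['risk_reduction']:,.0f} per year")
    print(f"net benefit    ${result['net_benefit']:,.0f} per year")
```

A negative net benefit means the control costs more than the risk it removes under these inputs, which is exactly the kind of answer the business can act on.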

There was a recent blog post on the PCI Guru blog, but it was a bit off the beaten path since it had seemingly nothing to do with PCI compliance; at least not directly. Dr. Brandon Williams decided to investigate if customers leave after a retailer suffers a breach. Did you stop shopping at Winners after their breach? For how long?

There are a number of interesting tidbits in the final report. But in general most customers come back after about six months. Breaches do not seem to create an incentive to leave a retailer permanently. This research may give some merchants the idea that breaches don’t matter as much as they think. And I agree with them, but only in this one aspect of their risk profile. There are other aspects to consider.

Our favoured risk analysis approach here at NCI is the OpenFAIR method. It categorizes losses into primary and secondary. Primary losses are the costs the company bears directly: i) response, ii) productivity, and iii) replacement. This is not what we are talking about when we consider loss of customers.

To have that discussion we need to talk about secondary losses. Secondary losses are due to a 2nd party acting based on the outcome of a breach. These three types of loss are:

Competitive Advantage – e.g. a competitor stole your product designs and gets to market before you

Reputation – e.g. a breach leading to customers leaving

What this paper talks about is the impact on reputation. Based on this research it would appear that the cost of reputational damage is not as great as many of the executive suite would fear. (Incidentally I have seen research that indicates that reputational damage is one of the top 3 things executives fear). You’ll take a hit, but as long as you can weather the storm of a couple of bad quarters you’ll be OK in the medium term.

It would appear, at first glance, that we can’t rely on reputation damage to move the needle on improving cyber security. At least if you view cyber security as a cost centre that has no possibility to generate competitive advantage on its own (but that’s another blog post). So if we do want to move the needle, how do we go about that? Market forces alone aren’t sufficient; perhaps regulation and compliance are going to be needed after all.

But what should your response be? Should you implement the risk mitigation that your security team is saying you should? As with everything in business it depends.

If you can weather the storm and absorb the hit to your bottom line then you may choose to do nothing.

But you really should investigate just what the possible impacts of that 6 month decline would be (part of a quantitative risk analysis). Then weigh that against the cost of implementing the tools to reduce the chance of the breach in the first place. A $10k investment might reduce the chance of a $100k loss of revenue. 10% return is a pretty good deal.

If you’re a small firm, the loss of that much revenue might mean you are out of business, or have to go to the bank for a short term loan. In that case you should seriously consider implementing some kind of security control(s) to reduce the impacts of a breach.

Notice the common theme here? You’d be forgiven for missing it, I deliberately didn’t hit you over the head with it. You should do a quantitative risk assessment in order to make an informed decision. If you aren’t you’re doing your business a disservice.

CATA Alliance has released a Cyber Security Benchmark Survey. CATA is a strong supporter of improving Cyber Security across Canada, and with the results from this survey will work towards helping organizations achieve a better grasp on Cyber Security.

The Canadian Advanced Technology Alliance (CATAAlliance) is Canada’s One Voice for Innovation Lobby Group, crowd sourcing ideas and guidance from thousands of opt in members in moderated social networks in Canada and key global markets. CATA is the foundation for commercialization, market research, networking, events, access to other associations, and professional development, across the nation. Learn more about CATA

How would you rate Canada and government leaders’ level of commitment and leadership as it relates to the growing threat of cyber attacks? *

Scale of 1 to 5, where 1 = no leadership or commitment demonstrated and 5 = strong leadership on all cyber security issues

Do you feel that there are sufficient Canadian government resources for organizations wanting to prepare/counter cyber threats? *

Scale of 1 to 5, where 1 = insufficient resources to manage cyber threats and 5 = superior resources available within Canada to help organizations prepare and defend against cyber attacks

Have security threats affecting your industry decreased, stayed the same, or increased from last year? *

Scale of 1 to 3, where 1 = decreased and 3 = increased

Has your cyber risk profile worsened, stayed the same, or improved from last year? *

Scale of 1 to 3, where 1 = worsened and 3 = improved

Is this year’s cybersecurity budget lower, the same, or higher than last year? *

Scale of 1 to 3, where 1 = lower and 3 = higher

Do you expect next year’s cybersecurity budget to be lower, the same, or higher than this year? *

Scale of 1 to 3, where 1 = lower and 3 = higher

Are the number of full time equivalent (FTE) staff focused on cybersecurity lower, the same, or higher than last year? *

Scale of 1 to 3, where 1 = lower and 3 = higher

Do you expect the number of FTE focused on cybersecurity next year to be lower, the same, or higher than this year? *

Scale of 1 to 3, where 1 = lower and 3 = higher

How would you rate the current labour market for trained cybersecurity professionals? *

( ) Growing lack of skilled labour and a challenge for our organization

( ) Adequate access to skilled professionals

( ) No problem recruiting and retaining trained professionals

Has your organization established a team which can implement a response plan in the case of a cyber-incident? *

( ) Yes

( ) No

( ) Other:

What position at your organization is the primary point of contact for cyber incidents? *

What is your cybersecurity spend as a percentage of total IT spend? *

Does your organization vet and/or audit your vendors to ensure they are cyber safe and not putting your organization at risk? If yes, please explain (e.g., frequency, use of third party auditors, etc.) *

Does your organization have cyber liability insurance in place? *

( ) Yes

( ) No

Do your cybersecurity processes include the training of your staff? If yes, briefly describe the process, frequency and any monitoring of compliance and whether the training is mandatory. *

Should the private sector play a more active role in helping companies share cyber threat information? Please explain *

Do you feel that Canada’s current laws and regulations restrict the sharing of cyber threat information? *

November was a busy month here at NCI. Along with daily business, we also had a few initiatives we were supporting. Here’s a quick update:

On November 19th our CEO Danny Timmins spent a cold and damp night sleeping on the streets of Toronto in support of the Covenant House. Every year Covenant House hosts a Sleep Out for Executives in Support of the Homeless Youth in Toronto. This year they raised over $1 million.

Throughout the entire month of November, NCI hosted a Holiday Wishes Drive for the Peel Children’s Aid Foundation. We managed to raise over 100 items such as new toys, books, clothes, winter clothing and baby necessities.

If you’d like to find out more about PCAS or the Holiday Wishes program please visit the links below.

Ranking as one of the largest data breaches of the year and one of the first to target children, VTech has confirmed (via an FAQ about their data breach(3)) that on November 14, an unauthorized party accessed data on their Learning Lodge app store customer database and Kid Connect servers. In total over 4.8 million customer (parent) and 6.3 million child profiles have been compromised. The database stores information such as names, email addresses, passwords, password reset questions and answers, IP addresses, mailing addresses, child profiles (names, age, genders, and birthdates) and the download history for an account(2). Credit card information was not stored on the compromised servers so credit card details were not included in the attack.

The hack calls into question VTech’s security practices; security researcher Troy Hunt(1) revealed that VTech demonstrated a “total lack of care” in securing customer data. This will be a call for many major international organizations to rethink their current information security safeguards as CyberSecurity attacks have become more and more prevalent. Large businesses like Sony, Home Depot, Target, Ashley Madison, and even the IRS have succumbed to information breaches in 2015 alone.

For better or for worse, “these types of breach notifications may become even more frequent in Canada depending on when Mandatory Breach Notification Bill S-4 will be enforced,” says Eugene Ng, CIO of NCI. Ultimately, consumers can never be too careful when giving out personal information to any company; it is something everyone should be wary of. As such, companies should take all possible measures to secure their information and NCI can help solidify your CyberSecurity posture with assessments such as our Maturity and Threat Analysis™.

We are excited to be hosting our second Holiday Wishes Donations Drive for the Peel Children’s Aid Foundation. NCI hosted one last year and it was a great success. Even some of the little ones at home wanted to participate and gather toys!

Peel Children’s Aid Foundation is a non-profit organization to help children that are living in poverty, and in neglected or abusive situations.
Peel Kids offers a variety of services for children of all ages, including food donations, clothing and several programs to educate and provide counselling/support.
For more information please click here http://peelkidsfoundation.ca/index.aspx

Our Holiday Wishes Drive has started and will be running until November 30th.
If you would like to participate and put a smile on a child’s face this Christmas, please feel free to bring a donation to NCI Headquarters. All proceeds will be going to Peel Children’s Aid Foundation.